Evaluate the IT staffing requirements regularly.

UCF ID: 00775
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain the IT staff structure in line with strategic goals. [UCF Control ID 00764]

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg A-3; FFIEC IT Examination Handbook – Management, Exam Obj 2.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 4; Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § 9(f)(2); National Incident Management System (NIMS), Department of Homeland Security, December 2008, Chap III.B.2.c; CobiT, Version 4.1, PO4.12; The Standard of Good Practice for Information Security, SM2.2.5(a), SM2.2.5(b), CB2.1.4(e), UE1.1.4(f); OMB Circular A-123 Management’s Responsibility for Internal Control, § II.A; PCAOB Auditing Standard No. 2, ¶ 117 thru ¶ 121

Sarbanes-Oxley Guidance

Management should clearly state its commitment to hiring competent personnel and support the organization's policy for hiring new personnel. [§ II.A, OMB Circular A-123 Management’s Responsibility for Internal Control]

The auditor should evaluate the objectivity and level of competence of the individuals performing the work of others. The factors the auditor should use in determining objectivity include the organizational status of the individual performing the work and policies prohibiting individuals performing the work from testing controls in areas where they previously worked, where they are being assigned, or where their relatives are working. The factors the auditor should use in determining the level of competence include professional experience, educational level, professional certifications, the quality of their documentation, and an evaluation of their performance. [¶ 117 thru ¶ 121, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

[Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should have the proper expertise to make decisions about e-banking and network security. [Pg A-3, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Obj 2.1, FFIEC IT Examination Handbook – Management]

Operations management should ensure the organization has the proper staffing in terms of experience, numbers, and skills. [Pg 4, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

[§ 9(f)(2), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]

The Incident Management System has national standards for the qualification and certification of emergency response personnel. These standards ensure the personnel meet the necessary minimum knowledge, skills, and experience required. [Chap III.B.2.c, National Incident Management System (NIMS), Department of Homeland Security, December 2008]

General Guidance

The organization should periodically evaluate the staffing requirements to ensure they are consistent with the organization's security policy. [¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13, AICPA Suitable Trust Services Principles and Criteria]

The organization should evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has a sufficient number of competent IT staff. Staffing takes into consideration colocation of business/IT staff, cross-functional training, job rotation and outsourcing opportunities. [PO4.12, CobiT, Version 4.1]

The information security function should be adequately staffed with the appropriate number of personnel and skill levels. A sufficient number of individuals should be involved in the administration of applications in order to handle the workload at all times. [SM2.2.5(a), SM2.2.5(b), CB2.1.4(e), UE1.1.4(f), The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.